Commit 13764128 authored by Oliver Neukum's avatar Oliver Neukum Committed by Mauro Carvalho Chehab
Browse files

go7007: add sanity checking for endpoints 



A malicious USB device may lack endpoints the driver assumes to exist
Accessing them leads to NULL pointer accesses. This patch introduces
sanity checking.

Reported-and-tested-by: default avatar <syzbot+cabfa4b5b05ff6be4ef0@syzkaller.appspotmail.com>

Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
Fixes: 866b8695 ("Staging: add the go7007 video driver")
Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
parent ebeacb1f

drivers/media/usb/go7007/go7007-usb.c

+10 −1
Original line number Diff line number Diff line
@@ -1132,6 +1132,10 @@ static int go7007_usb_probe(struct usb_interface *intf, 
		go->hpi_ops = &go7007_usb_onboard_hpi_ops;

	go->hpi_context = usb;



	ep = usb->usbdev->ep_in[4];

	if (!ep)

		return -ENODEV;



	/* Allocate the URB and buffer for receiving incoming interrupts */

	usb->intr_urb = usb_alloc_urb(0, GFP_KERNEL);

	if (usb->intr_urb == NULL)
@@ -1141,7 +1145,6 @@ static int go7007_usb_probe(struct usb_interface *intf, 
	if (usb->intr_urb->transfer_buffer == NULL)

		goto allocfail;



	ep = usb->usbdev->ep_in[4];

	if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)

		usb_fill_bulk_urb(usb->intr_urb, usb->usbdev,

			usb_rcvbulkpipe(usb->usbdev, 4),
@@ -1263,9 +1266,13 @@ static int go7007_usb_probe(struct usb_interface *intf, 


	/* Allocate the URBs and buffers for receiving the video stream */

	if (board->flags & GO7007_USB_EZUSB) {

		if (!usb->usbdev->ep_in[6])

			goto allocfail;

		v_urb_len = 1024;

		video_pipe = usb_rcvbulkpipe(usb->usbdev, 6);

	} else {

		if (!usb->usbdev->ep_in[1])

			goto allocfail;

		v_urb_len = 512;

		video_pipe = usb_rcvbulkpipe(usb->usbdev, 1);

	}
@@ -1285,6 +1292,8 @@ static int go7007_usb_probe(struct usb_interface *intf, 
	/* Allocate the URBs and buffers for receiving the audio stream */

	if ((board->flags & GO7007_USB_EZUSB) &&

	    (board->main_info.flags & GO7007_BOARD_HAS_AUDIO)) {

		if (!usb->usbdev->ep_in[8])

			goto allocfail;

		for (i = 0; i < 8; ++i) {

			usb->audio_urbs[i] = usb_alloc_urb(0, GFP_KERNEL);

			if (usb->audio_urbs[i] == NULL)